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The MAILING DATE of this communication appears on the cover sheet with the correspondence address - 


Period for Reply 

A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) FROM 
THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed 
after SIX (6) MONTHS from the mailing date of this communication. 

- If the period for reply specified above is less than thirty (30) days, a reply within the statutory minimum of thirty (30) days will be considered timely. 

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 1 33). 
Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any 
earned patent term adjustment. See 37 CFR 1 .704(b). 

Status 

1)S Responsive to communication(s) filed on 7/14/2000 , 
2a)\3 This action is FINAL. 2b)S This action is non-final. 

3) n Since this application is in condition for allowance except for formal matters, prosecution as to the merits is 

closed in accordance with the practice under Ex parte Quayle, 1935 CD. 1 1 , 453 O.G. 213. 

Disposition of Claims 

4) S Claim(s) 1-18 is/are pending in the application. 

4a), Of the above claim(s) is/are withdrawn from consideration. 

5) n Claim(s) is/are allowed. 

6) ^ Claim(s) 1-18 is/are rejected. 
?)□ Claim(s) is/are objected to. 

8) n Claim(s) are subject to restriction and/or election requirement. 

Application Papers 

9) n The specification is objected to by the Examiner. 

10) K The drawing(s) filed on 7/14/2000 is/are: a)n accepted or b)l3 objected to by the Examiner. 

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1 .85(a). 
Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d). 

1 1) n The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152. 

Priority under 35 U.S.C. § 119 

12) n Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 119(a)-(d) or (f). 
a)n All b)n Some * c)^ None of: 

1 Certified copies of the priority documents have been received. 

2. n Certified copies of the priority documents have been received in Application No. . 

3. n Copies of the certified copies of the priority documents have been received in this National Stage 

application from the International Bureau (PCT Rule 17.2(a)). 
* See the attached detailed Office action for a list of the certified copies not received. 
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DETAILED ACTION 

Claims 1-18 have been considered. 

Drawings 

5 Figure 2 of the drawings is objected to. In a flow chart, a diamond block indicates a decision the 
system takes which has an affirmative and a negative branch. Block S22 has 3 branches making 
it confusing to understand what is happening. Figure 2 should be redrawn with the appropriate 
standard of 2 branches. Appropriate correction is required. 

10 Figure 3 of the drawings is objected to. There is no indication what happens when the answer to 
"Area read from" is negative as pertaining to diamond S35. Appropriate correction is required. 



Claim Rejections - 35 USC § 102 

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the 
15 basis for the rejections under this section made in this Office action: 
A person shall be entitled to a patent unless - 

(b) the invention was patented or described in a printed publication in this or a foreign country or in 
public use or on sale in this country, more than one year prior to the date of application for patent in 
the United States. 

Claims 1-18 are rejected under 35 U.S.C. 102(^as being unpatentable by Nachenberg, 
U.S. Patent No. 6,357,008. 

As per claims 1,7,9, and 17, the applicant discloses the following method which is 
25 anticipated by Nachenberg: 

a) emulating computer executable code in a subject file (Col 7, lines 9-12); 

b) flagging a memory area that is read during emulation of a first instruction in the 
computer executable code (Col 9, lines 5-10); 

c) detecting a modification to the flagged memory area during emulation of a second 
30 instruction in the computer executable code (Col 9, lines 5-10); 
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The applicant should note that claim 9 also claims a processor which is disclosed by 
Nachenberg in the Description of the Preferred Embodiments (Col 6, lines 22-24). 

As per claims 2,8,10, and 18, the applicant discloses the following method which is 
anticipated by Nachenberg: 

a) emulating computer executable code in a subject file (Col 7, lines 9-12); 

b) maintaining a list of memory regions that have been read and then modified during the 
emulation (Col 9, lines 11-14); 

c) determining whether a memory area is read during emulation of a first instruction in the 
computer executable code and whether the memory area is modified during emulation of a 
second instruction in the computer executable code (Col 9, lines 5-10); 

d) updating the list of memory regions to include the modified memory area (Col 9, lines 

11-14); 

e) triggering a viral detection alarm, if one of the listed memory regions is larger than a 
predetermined size (Col 8, lines 1-7); 

The applicant should note that claim 10 also claims a processor which is disclosed by 
Nachenberg in the Description of the Preferred Embodiments (Col 6, lines 22-24). 

As per claims 3 and 13, the applicant discloses the method of claims 2 and 12, 
20 respectively, which are anticipated by Nachenberg (see above) with the following limitation which 
is also anticipated by Nachenberg: 

Wherein the emulation is performed on an instruction-by-instruction basis (Col 7, lines 

55-67); 

25 As per claims 4 and 14, the applicant discloses the method of claims 2 and 12, 

respectively, which are anticipated by Nachenberg (see above) with the following limitations 
which are also anticipated by Nachenberg: 


10 
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a) determining whether a selected one of the listed memory regions overlaps the 
modified memory area (Figure 4B); 

b) updating the selected memory region to encompass the modified memory area (Col 9, 
lines 11-14); 

5 The application should note that step 420 of Figure 4B is the determination step as to 

whether the modified memory area has already been noted. This determination step identifies 
whether the modified memory area has already been noted in whole or in part, so if there is an 
overlap, this step picks that up. 

10 As per claims 5 and 15, the applicant discloses the method of claims 2 and 12, 

respectively, which are anticipated by Nachenberg (see above) with the following limitations 

which are also anticipated by Nachenberg: 

a) determining whether a selected one of the listed memory regions is contiguous with 

the modified memory area (Col 18, lines 5-7; Figure 4B; Claim 16); 
15 b) updating the selected memory region to encompass the modified memory area (Col 9, 

lines 11-14); 

Pertaining to part a), the applicant should note that Nachenberg leaves the determination 
of the virus region in step 420 of Figure 4 open (Col 18, lines 5-7). This means that Nachenberg 
allows for a variety of methods to identify the virus region. Nachenberg also discusses in claim 
20 16 that identifying contiguous sections of modified bytes in memory is an easy way to discern 
whether the viral body has decrypted. Thus, a method to monitor whether a selected region is 
contiguous with a modified region is one of several ways to identify a virus region and is implicitly 
covered in the determination of the virus region step of Figure 4. 

25 As per claims 6 and 16, the applicant discloses the method of claims 2 and 12, 

respectively, which are anticipated by Nachenberg (see above) with the following limitations 
which are also anticipated by Nachenberg: 
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a) determining whether the modified memory area overlaps the listed memory regions 
(Figure 4B); 

b) adding the modified memory area as a new memory region to the list of memory 
regions, if the modified memory area does not overlap any of the listed memory regions (Col 9, 

5 lines 11-14); 

The application should note that step 420 of Figure 4B is the determination step as to 
whether the modified memory area has already been noted. This determination step would 
identify whether the modified memory area has already been noted in whole or in part, so if there 
were an overlap, this step would pick that up. 

10 

As per claim 1 1, the applicant discloses the following apparatus for detecting decryption 
of encrypted viral code with the following limitations: 

a) a code emulator, wherein the code emulator emulates computer executable code in a 
subject file, and outputs memory access information corresponding to the emulated computer 

15 executable code (Col 7, lines 9-12; Col 7, lines 17-21); 

b) a memory monitor, wherein the memory monitor monitors the memory access 
information output by the code emulator, flags a memory area that is read during the emulation of 
a first instruction in the computer executable code, and detects a modification to the flagged 
memory area during emulation of a second instruction in the computer executable code (Col 9, 

20 lines 5-14); 

As per claim 12, the applicant discloses the following apparatus for detecting decryption 
of encrypted viral code with the following limitations: 

a) a code emulator, wherein the code emulator emulates computer executable code in a 
25 subject file, and outputs memory access information corresponding to the emulated computer 

executable code (Col 7, lines 9-12; Col 7, lines 17-21); 

b) a memory monitor, wherein the memory monitor monitors the memory access 
information output by the code emulator, maintains a list of memory regions that have been read 


Application/Control Number: 09/905,533 


Pages 


Art Unit: 2137 

and modified during emulation, determines whether a memory area is read during emulation of a 
first instruction in the computer executable code and whether the memory area is modified during 
emulation of a second instruction in the computer executable code, updates the list of memory 
regions to include the modified memory area, and triggers a viral detection alarm, if one of the 
5 listed memory regions is larger than a predetermined size (Col 9, lines 5-14; Col 8, lines 1-7). 

Any inquiry concerning this communication or earlier communications from the examiner 
should be directed to Kevin Schubert whose telephone number is (571) 272-4239. The examiner 
10 can normally be reached on M-F 8:00-5:00. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Andrew Caldwell can be reached on (571) 272-3868. The fax phone number for the 
organization where this application or proceeding is assigned is 703-872-9306, 


15 Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR system, 
see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 
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